doc: mention the anti-spam bypass in security.html

We had some issues with reports being marked as spam, so I added a
filter to never mark as spam something that mentions the word
"vulnerability". We get too much spam at that address to disable the
filter entirely, so instead meantion the bypass in the docs.

Change-Id: Idb4dabcf51a9dd8234a2d571cd020c970b0a582c
Reviewed-on: https://go-review.googlesource.com/c/go/+/205538
Reviewed-by: Katie Hockman <[email protected]>

Author: FiloSottile

doc/security.html

@@ -24,7 +24,11 @@ <h3>Reporting a Security Bug</h3>
 </p>
 
 <p>
-Please use a descriptive subject line for your report email.
+To ensure your report is not marked as spam, please include the word "vulnerability"
+anywhere in your email. Please use a descriptive subject line for your report email.
+</p>
+
+<p>
 After the initial reply to your report, the security team will endeavor to keep
 you informed of the progress being made towards a fix and full announcement.
 These updates will be sent at least every five days.